Web applications are computer applications that users access via a Web browser over a network such as the Internet or an intranet. Often, it is desirable to limit or restrict access to a Web application to valid or registered users only. To prevent unknown or invalid users from accessing such user-restricted Web applications, valid users are typically required to log in via a Web interface using an associated User ID and password, which together authenticate the user. Due to its convenience and ease of use, password-based user authentication is the most common means of authentication on the Web.
However, passwords have a poor reputation among security professionals as being potentially susceptible to online guessing attacks by invalid users or attackers. Because Web applications (or a Web site) are accessible over the Internet from anywhere in the world, an attacker is afforded a high degree of anonymity and impunity. An attacker running a program on a client machine or on thousands of “bots” (hijacked computers) may be able to submit thousands or even millions of password guesses per second.
To protect against such online guessing attacks, one conventional countermeasure employed by Web applications is to lock out a user account, which is identified by the User ID, after a selected number of consecutive failed login attempts using the User ID but an incorrect password. The user's password must then be reset or changed, or a timeout period must elapse (e.g., 24 hours) before logins to the user account are again permitted.
While such a technique or countermeasure is generally effective, there are several drawbacks. First, it can deny service to the legitimate or valid user by repeatedly locking out the user's account and preventing the legitimate user from using the Web application. Such a denial of service may be a side effect of the guessing attack, or it may be the goal of an attack that exploits the countermeasure.
Second, although such a countermeasure limits the number of consecutive incorrect password guesses, the total number of incorrect guesses is unlimited as long as the incorrect guesses are interleaved with valid logins by the legitimate user before the selected number of consecutive incorrect guesses is reached. As such, an attacker who is able to watch or monitor a user or who can otherwise determine a pattern of logins by a legitimate user has the opportunity for an unlimited number of guesses at a password without locking out a user or putting the user on notice that he/she is under attack. A Web application employing such a countermeasure is particularly vulnerable to such “denial of service” attacks by an ex-user who may know the User IDs of several or all of the legitimate or valid users.
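The two drawbacks just described can be made concrete with a small simulation. The following is an added example written for this page, not code from the original document or from any particular product. It models the conventional countermeasure (lock an account after a selected number of consecutive failed logins, with a successful login resetting the consecutive counter) and runs two scenarios against it: a burst of wrong passwords that locks the legitimate user out, and wrong passwords interleaved with the legitimate user's own logins, which never trip the consecutive counter. For contrast it also keeps a cumulative failure counter that a successful login does not reset; that counter, the `needs_notice` check, the user names and the passwords are constructed for the illustration and are not part of the original text.

```python
"""Simulation of the consecutive-failure lockout countermeasure and its two drawbacks.

Added example for illustration; the account store, hashing parameters, user names
and passwords are all constructed here and are not from the original document.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5   # consecutive failures before the account is locked
# Kept low so the demo runs quickly; a production deployment uses far more iterations.
PBKDF2_ITERATIONS = 1_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    consecutive_failures: int = 0   # reset to zero by every successful login
    total_failures: int = 0         # cumulative; never reset by a success
    locked: bool = False


class ConsecutiveLockoutService:
    """The conventional countermeasure: lock after N consecutive wrong passwords."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD) -> None:
        self.threshold = threshold
        self.accounts: dict[str, Account] = {}

    def register(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = Account(salt, hash_password(password, salt))

    def login(self, user_id: str, password: str) -> str:
        acct = self.accounts.get(user_id)
        if acct is None:
            return "denied"   # same response as a wrong password, so user IDs are not confirmed
        if acct.locked:
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            # This reset is what lets interleaved guesses evade the lockout.
            acct.consecutive_failures = 0
            return "ok"
        acct.consecutive_failures += 1
        acct.total_failures += 1
        if acct.consecutive_failures >= self.threshold:
            acct.locked = True
            return "locked"
        return "denied"

    def needs_notice(self, user_id: str) -> bool:
        """Illustrative check (not from the text): cumulative failures have reached the
        threshold even though no lockout occurred, so the user should be told."""
        return self.accounts[user_id].total_failures >= self.threshold


def demo_lockout_denies_legitimate_user() -> str:
    """Drawback 1: after N wrong guesses the legitimate user is locked out as well."""
    svc = ConsecutiveLockoutService()
    svc.register("alice", "correct horse")
    for _ in range(LOCKOUT_THRESHOLD):
        svc.login("alice", "wrong guess")
    return svc.login("alice", "correct horse")   # the real password is now refused


def demo_interleaved_guessing(rounds: int = 20) -> tuple[bool, int, bool]:
    """Drawback 2: N-1 failures followed by the legitimate user's own login, repeated,
    never reaches the consecutive threshold, so the total number of failures is unbounded.
    Returns (locked, total_failures, needs_notice)."""
    svc = ConsecutiveLockoutService()
    svc.register("alice", "correct horse")
    for _ in range(rounds):
        for _ in range(LOCKOUT_THRESHOLD - 1):
            svc.login("alice", "wrong guess")
        svc.login("alice", "correct horse")   # legitimate login resets the consecutive counter
    acct = svc.accounts["alice"]
    return acct.locked, acct.total_failures, svc.needs_notice("alice")


if __name__ == "__main__":
    print("burst of wrong guesses, then real password:", demo_lockout_denies_legitimate_user())
    print("interleaved guessing (locked, total failures, notice):", demo_interleaved_guessing())
```

Running the block shows the asymmetry the text describes: the burst scenario returns `locked` for the legitimate user, while twenty rounds of interleaved guessing leave the account unlocked after 80 wrong passwords. The cumulative counter is the part a practitioner would add on top of the conventional scheme, because it records the attack the consecutive counter cannot see.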
Additionally, such a countermeasure does not address a situation created by “password capture” from a different Web site or Web application. Faced with the problem of having to remember User IDs and passwords for a large number of Web sites and Web applications, many users simply reuse the same User IDs and passwords. An attacker may be able to exploit this by capturing User IDs and passwords from less protected Web sites or by setting up a malicious or rogue Web site for the purpose of collecting or capturing User IDs and passwords. The attacker can then employ these captured User IDs and passwords against a target Web application.
Another conventional countermeasure is to employ a technique commonly referred to as “password aging.” Under password aging, a user is forced to change his/her password after a selected amount of time has elapsed (e.g., 3 months, 6 months, or 1 year), the idea being that the likelihood of a password being successfully guessed is reduced. However, such a technique is inconvenient because a user is continually forced to remember a new password, regardless of whether the user account has been attacked by an invalid user, and because a user must first be assigned a temporary password by an administrator of the Web application (e.g., via a secure connection) before the user is able to change to a permanent password.